[sanesecurity] Re: ClamAV &

• From: Grayhat <grayhat@xxxxxxx>
• To: sanesecurity@xxxxxxxxxxxxx
• Date: Fri, 31 Mar 2017 09:02:38 +0200

:: On Thu, 30 Mar 2017 23:27:51 +0100
:: <9ff9b14a-af93-39a1-e06d-9ce81ee33557@xxxxxxxxxxxxxxxxxx>
:: Dave Osbourne <dave@xxxxxxxxxxxxxxxxxx> wrote:

Hi,

Sanesecurity is likely not the correct forum to pose this on, but
hoping the the commonality at least sees someone with an idea...

I've had this come through a mail relay: P8184141.JPG.zip

Kaspersly detects it as:

    *Backdoor.Win32.Dridex.ef*
    File size 116.54 KB
    File type ARC/ZIP
    Scan date Mar 30 2017 23:16:50
    Databases release date Mar 30 2017 21:34:58 UTC
    MD519af6d64dd7fe289886dd2241c0bc25c
    SHA1e13fbb78710f6b3fa1981b9e958494b1f6de6d16
    SHA25621e4096d306eb7ff1c29e41ff82ca4958ccbf40cf331d0e9838fc2b52a8d511c

I'm using Clam 0.99.2 with updated signatures... this my result

    </many warnings about cli_loadldb: logical signature for XXX uses
    PCREs but support is disabled, skipping/>
    P8184141.JPG.zip: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 6402627
    Engine version: 0.99.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.39 MB
    Data read: 0.11 MB (ratio 3.45:1)
    Time: 24.838 sec (0 m 24 s)

Did you try scanning the file using https://virustotal.com/ ? Also, I
wonder if the missing detection may be related to the warnings you see
oh and ... which signatures are you using ?

• Follow-Ups:
  • [sanesecurity] Re: ClamAV &
    • From: Grayhat

• References:
  • [sanesecurity] ClamAV &
    • From: Dave Osbourne

Other related posts:

• » [sanesecurity] ClamAV &- Dave Osbourne
• » [sanesecurity] Re: ClamAV & - Grayhat
• » [sanesecurity] Re: ClamAV &- Grayhat
• » [sanesecurity] Re: ClamAV &- Steve Basford
• » [sanesecurity] Re: ClamAV &- TR Shaw

1. Home
2. sanesecurity
3. Archive
4. 03-2017

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---